Protect the attachments’ directory on NGINX

NGINX works differently from the Apache web server and ignores the .htaccess rules that we add to protect the attachments’ directory. Since version 2.7.1, PDF Invoices uses a randomized folder path for storing the temporary files, making it practically impossible for anyone to access the files without immense computing power and a lot of patience to find this folder. While we are confident that this offers enough protection, we also offer ways to add further protection on top of this.

Basically, there are two options: using a filter to change the default path or adding a location rule directly in the NGINX domain configuration file.

Using the filter hook

You just need to place the code snippet below inside your theme's functions.php file:

add_filter('wpo_wcpdf_tmp_path', function( $tmp_base ) {
    /*
     * This is an example of a path, please check your current server directory structure.
     * It's recommended to have it outside the /public/ directory.
     */
    $tmp_base = '/home/domains/yourdomain.com/woocommerce-invoices/';
    return $tmp_base;
});

Alternatively, you could use dirname(ABSPATH) (the parent of the WordPress installation directory) to determine the path:

add_filter('wpo_wcpdf_tmp_path', function( $tmp_base ) {
    return trailingslashit(dirname(ABSPATH)).'woocommerce-invoices/';
});
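
To confirm that the directory you chose for the filter really sits outside the web root, a check like the one below can be run on the server. It is an added example, not part of the plugin; both paths are arguments you supply, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not plugin code. Both paths are supplied by you.

# Canonical form of an existing directory, with symlinks resolved.
canonical() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# 0 if directory $1 is outside document root $2, 1 if inside,
# 2 if either path cannot be resolved (missing or not a directory).
is_outside_docroot() {
    tmp=$(canonical "$1") || return 2
    root=$(canonical "$2") || return 2
    root=${root%/}
    # The trailing slash stops /var/www/public-old matching /var/www/public.
    case "$tmp/" in
        "$root"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print directory symlinks under document root $2 that resolve into $1.
# NGINX follows symlinks by default, so such a link would make the
# files reachable over HTTP again.
links_into_tmp() {
    tmp=$(canonical "$1") || return 2
    root=$(canonical "$2") || return 2
    find "$root" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(canonical "$link") || continue
        case "$target/" in
            "$tmp"/*) printf '%s\n' "$link" ;;
        esac
    done
}

main() {
    if is_outside_docroot "$1" "$2"; then
        echo "OK: $1 is outside $2"
    else
        echo "WARNING: $1 is inside $2, or a path does not exist"
    fi
    links_into_tmp "$1" "$2" | sed 's/^/WARNING: symlink exposes the directory: /'
}

# Usage: sh check_tmp_path.sh /path/to/woocommerce-invoices /path/to/public
if [ "$#" -eq 2 ]; then main "$@"; fi
```
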

Using the location rule

If you manage or have root access to your server, you can add the rule below inside your domain configuration file:

location ~* /wpo_wcpdf/.*\.pdf$ {
    deny all;
}

Restart your web server:

service nginx restart

If you don’t have access to this file, please contact your hosting service provider and share this guide with them.